As the test shows, changing the allow= attribute by script does not change the Feature Policy permissions that act inside the iframe.
That's because permissions from the allow= attribute are applied at the DOM-building stage.
Therefore you have to reload the iframe content to apply the changed Feature Policy permissions.
Reloading the iframe content does the job: the new permissions are applied. Try it like this:
var iframe = document.getElementById('id_of_frame');
iframe.setAttribute('allow', "autoplay; fullscreen *;");
iframe.src = iframe.src;
Note that allow="fullscreen" allows exactly the same as allow="fullscreen *"; both mean that all elements inside the iframe are allowed to use full-screen mode.
That's because for <iframe> the fullscreen * permission transforms to the fullscreen 'src' one, where 'src' represents the origin of the URL in the iframe’s src= attribute.
You can observe this in the above test or check it yourself:
// array of allowed origins for 'fullscreen' feature:
var origins = document.featurePolicy.getAllowlistForFeature('fullscreen');
Inside the <iframe src='https://example.com' allow="fullscreen *"> the origins will be https://example.com but not *.
The wildcard * makes sense in the Feature Policy HTTP header only: in the case of fullscreen * it allows full-screen mode inside any <iframe src='...'> on the page.
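The same reload rule applies when a permission is taken away from allow=, not only when one is granted. The following is an added example, not part of the original answer: it removes one feature from an allow= value and reloads the frame so the narrower policy takes effect. The helper names (parseAllow, serializeAllow, withoutFeature, applyAllow) are hypothetical.

```javascript
// Added example; all function names here are hypothetical helpers.

// Split an allow= value into [feature, allowlist] pairs, e.g.
// "autoplay; fullscreen *;" -> [["autoplay", ""], ["fullscreen", "*"]]
function parseAllow(value) {
  return (value || '')
    .split(';')
    .map(function (directive) { return directive.trim(); })
    .filter(Boolean)
    .map(function (directive) {
      var tokens = directive.split(/\s+/);
      return [tokens[0], tokens.slice(1).join(' ')];
    });
}

// Turn the pairs back into a normalized allow= string.
function serializeAllow(pairs) {
  return pairs
    .map(function (p) { return p[1] ? p[0] + ' ' + p[1] : p[0]; })
    .join('; ');
}

// Return the allow= value with one feature removed.
function withoutFeature(value, feature) {
  return serializeAllow(parseAllow(value).filter(function (p) {
    return p[0] !== feature;
  }));
}

// Write the new allow= value and reload the frame, because the
// attribute is only read when the frame content is loaded.
// Returns true if a reload was triggered. Assumes allow= was not
// changed by other code since the frame last loaded.
function applyAllow(iframe, newAllow) {
  var current = serializeAllow(parseAllow(iframe.getAttribute('allow')));
  var wanted = serializeAllow(parseAllow(newAllow));
  if (current === wanted) return false; // same policy, keep the frame as is
  iframe.setAttribute('allow', wanted);
  iframe.src = iframe.src;              // reload so the new policy applies
  return true;
}
```

In a page this would be called as applyAllow(iframe, withoutFeature(iframe.getAttribute('allow'), 'fullscreen')).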